[Samba] Domain Controller either fails to acquire or loses client machine identities after several hours

Ian Scott ian.m.scott at student.manchester.ac.uk
Fri Mar 23 15:10:43 GMT 2007


I am trying to use samba (version 3.0.24-4 on debian etch AMD64) as a 
primary domain controller and file server.

When I try to set up the domain controller - it sometimes works.
On occasion, I have been able to connect WinXP Pro machines, log in to 
the clients using domain accounts. However, the next morning after I had 
it working, I can no longer log into the machines. Windows refuses with 
an error message
"Windows cannot connect to the domain, either because the domain 
controller is down or otherwise unavailable, or because your computer 
account was not found. Please try again later. If this message continues 
to appear, contact your system administrator for assistance."

I have tried killing samba, destroying all the .tdb files, and 
rebuilding the domain from scratch. That worked once, but again the next 
morning I got the errors listed above. Now when I try to rebuild the 
samba server, I can supposedly add machines to the domain, but when I 
try to log on to them, I get the error above.

I have not touched the samba settings between when it worked and when it 
didn't.
The following checks and attempts to fix the problem do not make any 
difference.
1. Restart samba
2. Remove the machine account from the server, and then re-add to the 
domain.
3. Changing the sign-or-seal registry setting on the client.
patch
4. Checked that the clients are using the WINS service on the server.
5. The file-server still works. I can access the files, from a client 
machine, after giving it my explicit domain account details.
6. Checked with multiple clients (all WinXP Pro - we don't have anything 
else) with different hardware - one even on a virtual machine.
7. Checked with multiple user accounts.
8. I have tried a variety of example smb.conf files from the HowTo and 
various other web pages. All the settings described as important are in 
there.
     security = user
     domain master = yes
     preferred master = yes
     domain logons = yes
9. There are is firewall on the server, and just default
10. The file server aspect works fine, and I can see and use shares 
after giving a user name and password.

Additional info:
There is another (WindowsXP ADC) on the same Ethernet segment. It is not 
possible at the moment to test separating them onto different network 
segments.


The relevant log entries from a failed login are
[2007/03/23 09:21:32, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/03/23 09:21:32, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/03/23 09:21:32, 2] lib/access.c:check_access(323)
  Allowed connection from  (130.XXX.XXX.43)
[2007/03/23 09:21:32, 2] smbd/uid.c:change_to_user(186)
  change_to_user: SMB user  (unix user nobody, vuid 101) not permitted access to share IPC$.
[2007/03/23 09:21:32, 0] smbd/service.c:make_connection_snum(849)
  Can't become connected user!


I have checked the samba mailing lists - from where I got the above 
ideas. Additionally there seem to be quite a collection of similar 
problems for which no fix was ever presented, e.g.
http://lists.samba.org/archive/samba/2005-January/098829.html
http://lists.samba.org/archive/samba/2005-May/104872.html
http://lists.samba.org/archive/samba/2006-January/117154.html
http://lists.samba.org/archive/samba/2005-February/100725.html


Many thanks,
Ian.
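
The log excerpt in the message above can be split back into entries and searched for share refusals with a short script. This is an added example, not part of the original post or of Samba; the function names are assumptions, and the header layout is taken from the entries quoted in the post.

```python
import re

# Samba 3.x log header: [date time, level] source.c:function(line)
HEADER = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+?):(\w+)\((\d+)\)")
# change_to_user() refusal, matched after whitespace has been collapsed
DENIED = re.compile(r"SMB user ([^\s(]*)\s*\(unix user ([^\s,]+), vuid (\d+)\) "
                    r"not permitted access to share (\S+?)\.?$")

# Last three entries from the post, kept with the mail client's line wrapping
SAMPLE = """\
[2007/03/23 09:21:32, 2] lib/access.c:check_access(323)  Allowed
connection from  (130.XXX.XXX.43) [2007/03/23 09:21:32, 2]
smbd/uid.c:change_to_user(186)
   change_to_user: SMB user  (unix user nobody, vuid 101) not permitted
access to
  share IPC$.
[2007/03/23 09:21:32, 0] smbd/service.c:make_connection_snum(849)
   Can't become connected user!
"""

def parse_entries(text):
    """Split log text into entries even where wrapping merged or broke lines."""
    flat = " ".join(text.split())  # undo wrapping, collapse runs of whitespace
    heads = list(HEADER.finditer(flat))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(flat)
        entries.append({"time": m.group(1), "level": int(m.group(2)),
                        "source": m.group(3), "function": m.group(4),
                        "message": flat[m.end():end].strip()})
    return entries

def denied_sessions(entries):
    """List share refusals and which Unix account each session was mapped to."""
    found = []
    for e in entries:
        m = DENIED.search(e["message"])
        if m:
            found.append({"time": e["time"], "smb_user": m.group(1),
                          "unix_user": m.group(2), "vuid": int(m.group(3)),
                          "share": m.group(4),
                          "empty_smb_user": m.group(1) == ""})
    return found

if __name__ == "__main__":
    for hit in denied_sessions(parse_entries(SAMPLE)):
        print(hit)
```

On the excerpt from the post it reports one refusal: a session with an empty SMB user name, mapped to the Unix account nobody, denied access to IPC$.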


